Sony said Thursday that it is investigating reports that its SonyPictures.com database was hacked. The group that claimed responsibility for the hack, meanwhile, appears to be setting its sites on the FBI.
"We are looking into the claims about reports of attacks on Sony Pictures websites. Please follow us for latest updates," Sony said in a Thursday tweet.
Yesterday, a group that identifies itself as LulzSec said it hacked into SonyPictures.com and compromised the personal information of more than 1 million users. "Releasing some @Sony embarrassment in a few minutes. Just finishing our torrent!" the group tweeted.
The news came the same day that Sony brought the Sony PlayStation store back online and appeared on Capitol Hill to say there was no "clear evidence" that hackers accessed credit card information on its PlayStation Network. The company, however, said it and other tech companies are vulnerable to future attacks absent any action from Congress.
This morning, LulzSec designated today as F**kFBIFriday, "wherein we sit and laugh at the FBI. No times decided, but we'll cook up something nice for tonight," the group promised.
LulzSec did not elaborate on why it might be targeting the FBI, but the agency has been investigating cyber attacks by another cyber vigilante group, Anonymous. In February, a grand jury started looking through mobile phones, computer hard drives, and other items seized by the FBI in connection with Anonymous, which launched distributed denial of service (DDoS) attacks on companies that had severed ties to WikiLeaks. The agency is also investigating a recent hack of Gmail accounts that reportedly have ties to China.
That's nice, but what actually happened and how does this affect you? See below for some answers.
What happened this time?
A group that identifies itself as LulzSec claims to have hacked into SonyPictures.com and compromised the accounts of more than 1 million users.
Wasn't Sony supposed to be improving its systems? What happened?
LulzSec said it accessed SonyPictures.com via a "very simple SQL injection," which it called primitive. "From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?" LulzSec asked.
So no encryption?
No, according to LulzSec. "Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it," the group said.
What type of data do they have?
LulzSec said it accessed personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. The group said it also has all admin details of Sony Pictures (including passwords) along with 75,000 "music codes" and 3.5 million "music coupons."
So, LulzSec is just sitting on the records of 1 million users?
Due to financial constraints, the group said it was unable to copy all the information available on the Sony servers. But "we have samples for you in our files to prove its authenticity," LulzSec said. "In theory we could have taken every last bit of information, but it would have taken several more weeks."
Super. What do I do?
Fortunately, the hack does not appear to involve any direct credit card or financial data. But if you use the same password all over the Web—like for online banking or credit card payments—others accounts could be compromised. As a result, you might want to change your password asap and enable things like two-factor authentication on services that offer it. LulzSec isn't exactly keeping your data under lock and key. "I hear there's been some funny scamming with jacked Sony accounts. That's what you get for using the same password everywhere," the group tweeted earlier. It also urged "innocent people whose data we leaked" to blame Sony.
Is my information still out there?
LulzSec initially posted the data to MediaFire, but the company removed the file for a violation of its terms. The group also says the data is available via its Web site, lulzsecurity.com, but that site is currently inaccessible. On Twitter, however, LulzSec posted a link to a Pirate Bay torrent of the file.
Who is LulzSecurity?
The group describes itself as "a small team of lulzy individuals who feel the drabness of the cyber community is a burden on what matters: fun." The group also claimed responsibility for hacks of PBS and Fox.
Is someone going after them?
The group said its site "has received attacks non-stop since literally 2 minutes after we tweeted" the Sony leak data. That, however, "doesn't affect leaks in the slightest," LulzSec claims. If Sony determines its data was compromised, it's obligated to alert the authorities, which will likely conduct an investigation.
Will that stop LulzSec?
Not likely. The group has promised that "the hacks and leaks will always continue, even if twitter suspends our account."